Bad programming and Goatse: How gaping is your iPad?

If you Google "Goatse" you might not like what you will see.

What happens when you cross an overpriced product with an overpriced cellphone provider?

A gaping iHole – in security, that is.

In the case of the iPad and AT&T, the end result was a confirmed minimum of 114,000 email addresses of iPad owners, each associated with the numerical code of an iPad device (serial number), leaked on the Internet.

The perpetrators are apparently French “white hat” security experts, appropriately named “Goatse” in honor of the classic Goatse.cx shocker web site, and the list of email addresses was leaked as a “proof of concept”.

Essentially, AT&T badly programmed a public form that interacts with its customer database: instead of ensuring that queries are only permitted from within the particular domain, the script allowed remote queries.

All that the Goatse guys had to do was feed a copy of the script with a sequential code matching that of iPad devices; the returned data included customer email addresses, if these matched a valid iPad serial number.

The same flaw – not using hashed or scrambled data but instead a sequential id numbering system – was used initially by Sedo in the early days of their auction system. After we pointed out to them that it was a security flaw exposing raw data to anyone willing to ping the auction database with a 3-line script, Sedo quickly patched their system. We’re not sure if they laid off the programmer though. 😀
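The flawed lookup pattern described above, next to a hardened form, as an added example that is not AT&T's or Sedo's code. The record set, `issue_token`, and the assumption that the token is handed only to the legitimate device after it has been authenticated are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (device id -> email); not real data.
CUSTOMERS = {
    1000001: "alice@example.com",
    1000002: "bob@example.com",
    1000003: "carol@example.com",
}

# Assumption: a secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def lookup_vulnerable(device_id):
    """Flawed pattern: any caller that supplies a valid id gets the email."""
    return CUSTOMERS.get(device_id)


def _mac(raw_id):
    # Keyed MAC, not a bare hash: sha256("1000002") alone is as guessable
    # as the sequential id it was computed from.
    return hmac.new(SERVER_KEY, raw_id.encode(), hashlib.sha256).hexdigest()


def issue_token(device_id):
    """Opaque reference given to the legitimate device (hypothetical helper)."""
    raw_id = str(device_id)
    return f"{raw_id}.{_mac(raw_id)}"


def lookup_hardened(token):
    """Return the email only if the token carries a valid MAC for its id."""
    if not isinstance(token, str) or "." not in token:
        return None
    raw_id, mac = token.split(".", 1)
    if not (raw_id.isascii() and raw_id.isdigit()):
        return None
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(mac.encode(), _mac(raw_id).encode()):
        return None
    return CUSTOMERS.get(int(raw_id))
```

The hardened lookup returns the same empty result for a bare id, a malformed token, and a MAC lifted from another record, so neighbouring ids cannot be walked and a failed request reveals nothing about which ids exist.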

Bottom line: early adopters of new devices should realize that they might be trading in their private data for the thrill of a new gadget.

In an interesting twist to the Goatse.cx saga, the original shocker domain was apparently sold via Rick Latona’s newsletter in 2009, according to Wikipedia.
